authorLibravatar startx2017 <vradu.startx@yandex.com>2020-09-03 16:02:14 -0400
committerLibravatar startx2017 <vradu.startx@yandex.com>2020-09-03 16:02:14 -0400
commit0421623058694cb15d1b857f67f21e683e2aab55 (patch)
tree3c7ee0dd2e841e58bcd6d114cf66d53a6c51db95
parentmanpages: configuration for tunnel, chroot, private-home (diff)
manpages: configuration for user namespace, x11
-rw-r--r--src/man/firejail-profile.txt5
-rw-r--r--src/man/firejail.txt13
2 files changed, 12 insertions, 6 deletions
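--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -401,10 +401,12 @@ Sets the NO_NEW_PRIVS prctl. This ensures that child processes
 cannot acquire new privileges using execve(2); in particular,
 this means that calling a suid binary (or one with file capabilities)
 does not result in an increase of privilege.
+#ifdef HAVE_USERNS
 .TP
 \fBnoroot
 Use this command to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+#endif
 .TP
 \fBprotocol protocol1,protocol2,protocol3
 Enable protocol filter. The filter is based on seccomp and checks the
@@ -443,6 +445,7 @@ Enable seccomp filter and whitelist the system calls in the list for 32 bit syst
 Return a different error instead of EPERM to the process, kill it when
 an attempt is made to call a blocked system call, or allow but log the
 attempt.
+#ifdef HAVE_X11
 .TP
 \fBx11
 Enable X11 sandboxing.
@@ -476,7 +479,7 @@ Example:
 xephyr-screen 640x480
 .br
 x11 xephyr
-
+#endif
 .SH DBus filtering
 
 Access to the session and system DBus UNIX sockets can be allowed, filtered or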
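--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -137,8 +137,9 @@ $ firejail --appimage krita-3.0-x86_64.appimage
 .br
 $ firejail --appimage --private krita-3.0-x86_64.appimage
 .br
+#ifdef HAVE_X11
 $ firejail --appimage --net=none --x11 krita-3.0-x86_64.appimage
-
+#endif
 .TP
 \fB\-\-audit
 Audit the sandbox, see \fBAUDIT\fR section for more details.
@@ -1029,8 +1030,10 @@ $ firejail \-\-list
 .br
 7056:netblue:torrent:firejail \-\-net=eth0 transmission-gtk
 .br
+#ifdef HAVE_USERNS
 7064:netblue::firejail \-\-noroot xterm
 .br
+#endif
 .TP
 \fB\-\-ls=name|pid dir_or_filename
 List files in sandbox container, see \fBFILE TRANSFER\fR section for more details.
@@ -1514,7 +1517,7 @@ Parent pid 8553, child pid 8554
 Child process initialized
 .br
 [...]
-
+#if HAVE_USERNS
 .TP
 \fB\-\-noroot
 Install a user namespace with a single user - the current user.
@@ -1538,7 +1541,7 @@ $ ping google.com
 ping: icmp open socket: Operation not permitted
 .br
 $
-
+#endif
 .TP
 \fB\-\-nosound
 Disable sound system.
@@ -2684,7 +2687,7 @@ Example:
 .br
 $ sudo firejail --writable-var-log
 
-
+#ifdef HAVE_X11
 .TP
 \fB\-\-x11
 Sandbox the application using Xpra, Xephyr, Xvfb or Xorg security extension.
@@ -2845,7 +2848,7 @@ Example:
 .br
 $ firejail --net=eth0 --x11=xephyr --xephyr-screen=640x480 firefox
 .br
-
+#endif
 #ifdef HAVE_APPARMOR
 .SH APPARMOR
 .TP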
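Review bot: The guard added in the `@@ -1514,7 +1517,7 @@` hunk of firejail.txt reads `#if HAVE_USERNS`, while every other guard this commit adds uses `#ifdef` (`#ifdef HAVE_USERNS`, `#ifdef HAVE_X11`). If the man-page build defines these symbols without a value, the `#if` form may be evaluated differently from `#ifdef` or rejected outright, so the whole `--noroot` section up to the matching `#endif` in the `@@ -1538,7 +1541,7 @@` hunk could be dropped or mis-rendered; I have not checked the preprocessing step, so treat that as something to confirm. Changing the line to `#ifdef HAVE_USERNS` keeps the guards uniform and avoids the question.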